WebApp Throwdown!

WebApp Scanning Throwdown!

Important Follow-up!

I have to apologize for errors in my original article. I missed a few findings in some of the reports, and misread a few items. Just to make this absolutely clear, errors in the analysis of the results are my own fault, not a reflection of the products. And as stated, the configurations used were not ideal.

Please visit the downloads section for a spreadsheet providing the vulnerabilities in a matrix format and which tools identified them. Ultimately, there’s not a lot of difference, though Nexpose did manage to get a couple that Nessus missed. All three tools missed quite a few more subtle vulnerabilities in the test site, however.

I feel the most important conclusions that can be drawn from this comparison are:

You can’t rely on one tool to find all your issues

You need to make sure your tools are properly configured for maximum results

No tool will find everything, but a finding is a good indicator that you may need to take something apart and look at it more closely
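The first conclusion above is easiest to see when the three reports are merged into a single matrix, like the spreadsheet mentioned earlier. The following is an added example, not the spreadsheet or any of the vendors' code: it takes one set of (location, issue) findings per tool, builds the matrix, and lists the findings that only a single scanner reported. The finding sets are typed in by hand from what this article reports and are an approximation of the real reports, not parsed from them.

```python
from collections import defaultdict

# Constructed per-tool finding sets keyed as (location, issue). They follow the
# findings described in this article for demo.testfire.net but were typed in by
# hand as an approximation; they are not parsed from the actual scanner reports.
TOOL_FINDINGS = {
    "Nessus": {
        ("login.aspx", "SQL injection"),
        ("login.aspx", "XSS"), ("search.aspx", "XSS"), ("comment.aspx", "XSS"),
        ("customize.aspx", "possible SQL injection"),
        ("login.aspx", "plaintext authentication"),
        ("login.aspx", "autocomplete enabled"),
    },
    "Nexpose": {
        ("login.aspx", "SQL injection"),
        ("login.aspx", "XSS"), ("search.aspx", "XSS"), ("comment.aspx", "XSS"),
        ("/bank/", "browsable directory"),
    },
    "Core Impact": {
        ("login.aspx", "SQL injection"),
        ("login.aspx", "XSS"), ("search.aspx", "XSS"), ("comment.aspx", "XSS"),
    },
}


def coverage_matrix(tool_findings):
    """Map every distinct finding to the sorted list of tools that reported it."""
    matrix = defaultdict(list)
    for tool, findings in tool_findings.items():
        for finding in findings:
            matrix[finding].append(tool)
    return {finding: sorted(tools) for finding, tools in matrix.items()}


def unique_to_one_tool(matrix):
    """Findings reported by exactly one tool: what you lose by running a single scanner."""
    return {finding: tools[0] for finding, tools in matrix.items() if len(tools) == 1}


def per_tool_recall(tool_findings, matrix):
    """Fraction of the union of all findings that each tool reported."""
    total = len(matrix)
    return {tool: len(found) / total for tool, found in tool_findings.items()}


def render_matrix(matrix, tools):
    """Plain-text matrix: one row per finding, an X under each tool that found it."""
    header = f"{'finding':<45}" + "".join(f"{tool:>13}" for tool in tools)
    rows = [header]
    for finding, found_by in sorted(matrix.items()):
        label = f"{finding[0]} {finding[1]}"
        cells = "".join(f"{'X' if tool in found_by else '':>13}" for tool in tools)
        rows.append(f"{label:<45}{cells}")
    return "\n".join(rows)


if __name__ == "__main__":
    tools = sorted(TOOL_FINDINGS)
    matrix = coverage_matrix(TOOL_FINDINGS)
    print(render_matrix(matrix, tools))
    print()
    for tool, recall in per_tool_recall(TOOL_FINDINGS, matrix).items():
        print(f"{tool}: {recall:.0%} of the combined findings")
    print()
    for finding, tool in unique_to_one_tool(matrix).items():
        print(f"only {tool} reported: {finding[0]} {finding[1]}")
```

With these constructed sets, no single tool reaches the combined total, and four findings would have been missed entirely had only one of the other scanners been run. Swapping in finding lists exported from your own scanners (normalised to the same location/issue keys) gives the same matrix for a real engagement.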

The Setup

I used three different computers, one for each scanning product. These were identical NC6715b HP laptop computers, AMD 64-bit processors with 4GB of RAM. Core Impact ran under Windows XP Pro with SP3, while Nexpose and Nessus ran under RedHat Enterprise Linux 5.4.

I chose the fake banking website Altoro Mutual as the target for this throwdown due to its independence from the three products being used, and of course we did not want to attack any real targets.

For Nexpose, I used the built-in Web Audit scanning template, and merely configured a site with the target host. In Core Impact, I simply used the Rapid Penetration Testing scan and attacks under the Web assessment section. For Nessus, I had to create my own scanning policy by enabling just those plugins related to WebApp scanning. I used this Nessus Document and this discussion on Tenable Security’s website as a source to determine what plugins to enable.

Core Impact is proxy-aware and had no problem performing its attacks through an internal proxy to the Internet. In contrast, both Nexpose and Nessus are proxy-ignorant and had to be directly connected to the evil, festering Internet in order to perform their scans.

The Results

All three scanners correctly identified the SQL injection vulnerability in the “login.aspx” URL of the demo.testfire.net website. Additionally, all three were able to find Cross-Site Scripting (XSS) vulnerabilities in “login.aspx”, “search.aspx” and “comment.aspx”.

However, Core Impact did not identify any other WebApp vulnerabilities in the target. Both Nessus and Nexpose found additional issues, such as browsable directories, lack of encryption, and weak authentication.

Nexpose flagged the “/bank/” directory as browsable. Nessus found the same directory, but didn’t explicitly list it as browsable. Nessus found additional directories (“/Admin/”, “/admin/” and “/images”) but they are not browsable.

Nessus provided the most results, with additional finds that Nexpose and Core Impact didn’t catch, including:

A possible SQL injection vulnerability in “customize.aspx”

The website uses plain text authentication (i.e. no HTTPS)

Auto-Complete is not disabled on the login form (a setting that tells browsers not to let the end-user store their password in the browser for later use)
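The last two Nessus findings are properties of the login page itself, so they can be verified from the page source without a scanner. The following is an added example, not code from the article or from any of the three products: a small auditor built on Python's standard-library HTML parser that finds every form containing a password field, resolves its action URL, and flags a form that submits credentials over plain HTTP or leaves autocomplete enabled on the password field. The page URL, form markup and field names are constructed for the example and are not the real demo.testfire.net markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample login page showing the two weaknesses listed above: the
# form posts over plain HTTP and neither the form nor the password field sets
# autocomplete="off". Hypothetical host and field names, not the demo site's.
SAMPLE_PAGE_URL = "http://bank.example/login.aspx"
SAMPLE_HTML = """
<html><body>
<form name="login" method="post" action="/doLogin">
  <input type="text" name="uid">
  <input type="password" name="passw">
  <input type="submit" value="Login">
</form>
</body></html>
"""


class LoginFormAuditor(HTMLParser):
    """Collects every form that contains a password field, with the form's
    resolved action URL and the autocomplete attributes that apply to it."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # completed forms that contain a password field
        self._current = None     # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # attribute values may be None for bare attributes
        if tag == "form":
            self._current = {
                # a relative action is resolved against the page URL, as a browser would
                "action": urljoin(self.page_url, a.get("action") or ""),
                "form_autocomplete": (a.get("autocomplete") or "").lower(),
                "password_fields": [],
            }
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["password_fields"].append({
                    "name": a.get("name") or "",
                    "autocomplete": (a.get("autocomplete") or "").lower(),
                })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["password_fields"]:
                self.forms.append(self._current)
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of (form_action, finding) tuples, one per weakness found."""
    parser = LoginFormAuditor(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        action = form["action"]
        # Credentials leave the browser in the clear unless the action is HTTPS.
        if urlparse(action).scheme != "https":
            findings.append((action, "credentials submitted without HTTPS"))
        # autocomplete="off" may be set on the form as a whole or on the field.
        for field in form["password_fields"]:
            if form["form_autocomplete"] != "off" and field["autocomplete"] != "off":
                findings.append((action, f"password field '{field['name']}' allows autocomplete"))
    return findings


if __name__ == "__main__":
    for action, finding in audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{action}: {finding}")
```

Point it at saved page source from your own site to confirm a fix before re-running the scanners. One caveat worth knowing: current mainstream browsers largely ignore autocomplete="off" on login fields and offer to save the password anyway, so the HTTPS finding is the one that actually protects the credential; the autocomplete check is still useful for matching what the scanners report.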

The Upshot

First off, let’s be clear that Core Impact is a penetration testing tool, not a vulnerability assessment tool. It only checks for vulns that it could potentially exploit to install agents. There are many potential vulnerabilities it will not flag (such as unencrypted webpages) which are still quite significant for web application security. Anyone who is using Core Impact for vulnerability assessments has failed to read the documentation. Core Impact is a great tool when used in conjunction with actual vulnerability scanners.

Both Nessus and Nexpose worked great, but Nessus had to be configured to do WebApp scanning. It is possible the configurations used in this Throwdown were not optimal. In the end, both Nessus and Nexpose caught the most serious problems (SQL Injection and XSS). And both scanners have a “free” version available. It’s tough to call a real winner here. We may have to perform a tie-breaker!

You may download the reports generated from this Throwdown, as well as the session files for Nessus and Core Impact.